Guest:

  • Due to the sensitivity of client information, the guests and company identity in this episode are not identified.

Nisos Attributes and Unmasks Insider Threat Saboteurs Who Caused $1M in Business Loss


In Episode 5 of Know Your Adversary™, we discuss a 2018 Nisos insider threat investigation of network sabotage that caused almost $1,000,000 in business operations loss. Following a recent merger and acquisition transaction, IT engineers at the newly acquired subsidiary were upset with their new roles. They were also disgruntled that the parent company refused to integrate with their open source and cloud infrastructure. They decided to resign (one without the parent company's knowledge), sabotage the subsidiary's core routers, delete the records of their activity, and actively steer the investigation away from their actions while accepting new employment elsewhere. The sabotage resulted in a complete subsidiary network outage lasting more than a week, followed by a joint Nisos and FBI investigation that led to the arrest and detention of one co-conspirator.

We focus on the investigation, recovery, and attribution of the threat actors, with particular attention to post-M&A activity. These exigent situations are often a perfect storm: insiders with administrative control of systems, and disgruntled employees willing to cause damage at any cost.

Here are some of the key takeaways from the episode:

  1. Company acquisitions are often a merger of cultures and visions. Plans should be in place so that roles, responsibilities, and accountability after the acquisition are fully considered. Particular deliberation should go towards personnel who retain highly privileged access to the network.
  2. Due diligence on IT and security programs should be conducted before the deal closes as a matter of routine, just like financial and compliance diligence. A plan should be in place to integrate company infrastructure on Day 1 after close.
  3. Ensuring the confidentiality, integrity, and availability of data, systems, and networks following a breach or incident is crucial. Attributing the identities of those responsible matters in investigations, especially those believed to involve insider threats.
  4. Attribution almost certainly involves "going outside the firewall" and looking for the operational security mistakes and artifacts left behind by bad actors.

In this investigation, the discovery of a third-party virtual server (a Linode instance) ultimately provided the critical evidence that allowed attribution with high confidence.
